Imagine the following scenario:
In a given cryptocurrency, privacy should be as high as possible.
For this purpose, a new account with a new address is created for every incoming transaction (the address is the public key of a private/public key pair). However, users are not always online to generate new accounts with new addresses as soon as someone wants to send them money. Therefore, all users should be able to create new accounts with new addresses for other users when they want to send money to someone. Of course, only the recipient should be able to spend money transferred to accounts created for him by other people.
All of this is supposed to be based on ECC, i.e. an extension of the ECDSA algorithm, so to speak.
But as just described in the cryptocurrency example, only the person for whom a public key was generated is allowed to sign messages for this public key or decrypt data that was encrypted with this public key.
Since the security of the cryptographic algorithm used is crucial for a cryptocurrency, only curve parameters that have been standardized by NIST and SECG, and are known to be secure and efficient, will be used.
The only technical changes to be considered are as follows:
Note: Since the address of an account will be the corresponding public key of a key pair, the term "address" and "public key" will be used interchangeably in the following.
Parameters from the ECDSA algorithm:
- $d$ = randomly generated private key
- $G$ = base point of the elliptic curve
Changes:
- The available interval for private keys is reduced from $[1, n - 1]$ to $[1, \frac{n}{2} - 1]$
- As with public key generation, a point $P$ is calculated as follows: $P = d \times G$. This point $P$ forms the so-called delegated address generation key (DAG Key).
- To generate an address (public key) for another person, a random so-called address randomization key (AR Key) ($i$) must be generated from the same interval as the private key ($[1, \frac{n}{2} - 1]$).
- To generate an address for an arbitrary person, the DAG key ($P$) of this person is added to the product of the AR key ($i$) and the base point ($G$): $Q = P + i \times G$. Since $P$ is $d \times G$, the following must hold: $Q = P + i \times G = (d + i) \times G$. This point $Q$ forms the new address for the person whose DAG key was used for the calculation.
Example:
- Alice creates a randomly generated private key ($d$).
- Alice uses her private key to generate the DAG key ($P$)
- Alice makes the DAG key publicly available
- Bob wants to generate an address (a public key) for Alice and gets the DAG key from Alice to do so
- Bob creates a randomly generated AR key
- Bob generates a new address for Alice using Alice's DAG key and the AR key generated in the previous step
- Bob sends an amount to the newly created address
- Bob sends the AR key to Alice
- Only Alice can send money from this address, because she is the only one who can create valid signatures for the newly created address (the public key). To do this, she simply needs to calculate the private key to this address as follows: $d + i$ (addition of her private key $d$ and the AR key $i$ created by Bob).
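The "Changes" section and the Alice/Bob walk-through above, carried out on secp256k1 as an added example (this is not code from the question; the curve arithmetic, the ECDSA routines and the helper names `dag_key`, `derive_address`, `derived_private_key` and `run_protocol` are my own). It checks that Bob's point $Q = P + i \times G$ is exactly $(d + i) \times G$, that $d + i$ never exceeds $n$ because both scalars come from $[1, \frac{n}{2} - 1]$, and that a signature made with $d + i$ verifies against $Q$:

```python
import hashlib
import secrets

# secp256k1 domain parameters (SECG-standardized curve, as the question requires)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def point_add(P1, P2):
    """Affine point addition on y^2 = x^3 + 7 over GF(p); handles doubling and inverses."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:   # P1 == -P2
        return INF
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, P1):
    """Double-and-add k*P1 (not constant-time; fine for an illustration)."""
    R = INF
    while k:
        if k & 1:
            R = point_add(R, P1)
        P1 = point_add(P1, P1)
        k >>= 1
    return R

HALF = n // 2  # private keys and AR keys are drawn from [1, n/2 - 1]

def random_scalar():
    return secrets.randbelow(HALF - 1) + 1  # uniform in [1, HALF - 1]

def dag_key(d):                 # Alice: delegated address generation key P = d*G
    return scalar_mult(d, G)

def derive_address(P, i):       # Bob: new address Q = P + i*G
    return point_add(P, scalar_mult(i, G))

def derived_private_key(d, i):  # Alice: d + i; no reduction mod n needed since d + i <= n - 3
    # Caveat: anyone who learns this value together with i recovers d, so a derived
    # key must be protected exactly like the master private key.
    return d + i

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    while True:
        k = secrets.randbelow(n - 1) + 1
        r = scalar_mult(k, G)[0] % n
        if r == 0:
            continue
        s = pow(k, -1, n) * (z + r * priv) % n
        if s != 0:
            return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    w = pow(s, -1, n)
    R = point_add(scalar_mult(z * w % n, G), scalar_mult(r * w % n, pub))
    return R is not INF and R[0] % n == r

def run_protocol(msg=b"spend from the delegated address"):
    """One full round: Alice publishes P, Bob derives Q and sends i, Alice spends from Q."""
    d = random_scalar()          # Alice's private key
    P = dag_key(d)               # Alice publishes P
    i = random_scalar()          # Bob's address randomization key
    Q = derive_address(P, i)     # Bob computes Alice's fresh address
    dq = derived_private_key(d, i)   # Alice, after receiving i from Bob
    sig = ecdsa_sign(dq, msg)
    return {
        "key_matches": scalar_mult(dq, G) == Q,   # (d + i)*G == P + i*G
        "no_wrap": d + i < n,                      # interval restriction keeps the sum below n
        "sig_ok": ecdsa_verify(Q, msg, sig),       # only the holder of d + i can sign for Q
    }

if __name__ == "__main__":
    print(run_protocol())
```

Note that the identity $Q = (d + i) \times G$ holds for any scalars, not only for the halved interval: with full-range keys Alice would simply compute $(d + i) \bmod n$. The halved interval only avoids that reduction. Bob, who knows both $P$ and $i$, can always tell that $Q$ belongs to Alice; the randomness of $i$ hides that link from third parties, not from Bob.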
Questions:
Is it even theoretically possible to delegate public key generation?
If so, would such a change to the standard ECDSA algorithm be feasible? In other words, to create public keys for other people without knowing or revealing the private key to that public key?
Or is there a better approach to solve this problem?